Cyber Posture

CVE-2026-24017

High

Published: 10 March 2026

Published
10 March 2026
Modified
12 March 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 34.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

An Improper Control of Interaction Frequency vulnerability [CWE-799] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to bypass the…

more

authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the password target complexity.

Mitigating Controls (NIST 800-53 r5)AI

AC-7 Unsuccessful Logon Attempts good match
prevent

Enforces limits on consecutive unsuccessful logon attempts, directly countering brute-force attacks enabled by bypassing FortiWeb's authentication rate-limit.

SC-5 Denial-of-service Protection partial match
prevent

Provides denial-of-service protection mechanisms like rate limiting to restrict excessive crafted requests that exploit the interaction frequency vulnerability.

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and remediation of software flaws such as this improper control of interaction frequency in FortiWeb.

Security SummaryAI

CVE-2026-24017 is an Improper Control of Interaction Frequency vulnerability (CWE-799) in Fortinet FortiWeb versions 8.0.0 through 8.0.2, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. Published on 2026-03-10, it allows a remote unauthenticated attacker to bypass authentication rate-limiting via crafted requests. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts under network access with high attack complexity.

A remote unauthenticated attacker can exploit this vulnerability by crafting requests that evade the authentication rate-limit controls. This enables accelerated authentication attempts, such as brute-force attacks against login mechanisms. The attack's success hinges on the attacker's available resources and the complexity of the targeted password.

Fortinet's advisory FG-IR-26-082, available at https://fortiguard.fortinet.com/psirt/FG-IR-26-082, provides details on the vulnerability. Security practitioners should review this reference for recommended mitigations and patching guidance.

Details

CWE(s)
CWE-799

Affected Products

fortinet
fortiweb
7.0.0 — 7.0.12 · 7.2.0 — 7.2.12 · 7.4.0 — 7.4.11

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
attack.mitre.org →
Why these techniques?

Vulnerability in public-facing FortiWeb enables exploitation (T1190) and bypasses rate-limiting to facilitate brute-force authentication attacks (T1110).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References